Award-winning news, views, and insight from the ESET security community

Android banking trojan masquerades as Flash Player and bypasses 2FA

This malware masquerades as Flash Player, behaves like a screen locker, and can bypass two-factor authentication. This combination of features turns it into a powerful tool for stealing money from victims’ bank accounts.

This malware masquerades as Flash Player, behaves like a screen locker, and can bypass two-factor authentication. This combination of features turns it into a powerful tool for stealing money from victims’ bank accounts.

Active users of mobile banking apps should be aware of a new Android banking trojan campaign targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, detected by ESET security products as Android/Spy.Agent.SI, can steal login credentials from 20 mobile banking apps.The list of target banks includes the largest banks in each of the three target countries (A full list can be found in the final section of this article ). Thanks to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.

Analysis

The malware masquerades as Flash Player, with a legitimate-looking icon.

It was available on several servers. These servers were registered in late January and February 2016. Interestingly, the URL paths to the malicious APK files are regenerated each hour – maybe to avoid URL detection by antivirus software.

Figure 1

Malicious sites hosting Android/Spy.Agent.SI

After downloading and installing the app, the user is requested to grant the application device administrator rights. This self-defense mechanism prevents the malware from being uninstalled from the device. The Flash Player icon is then hidden from the user’s view, but the malware remains active in the background.

After that, the malware communicates with a remote server. Communication between the client and the server is encoded by base64. First, the malware sends device information such as model type, IMEI number, language, SDK version and information about whether the device administrator is activated. This information is sent to the server every 25 seconds. The malware then gathers the package names of installed applications (including mobile banking apps) and sends them to the remote server. If any of the installed apps are targets of the malware, the server sends a full list of 49 target apps, although not all of these are directly attacked.

The malware manifests itself as an overlay, appearing over the launched banking application: this phishing activity behaves like a lock screen, which can’t be terminated without the user entering their login credentials. The malware does not verify the credibility of the data entered, instead sending them to a remote server, at which point the malicious overlay closes. The malware does not focus only on mobile banking apps, but also tries to obtain Google account credentials as well.

The first versions were simple, with an easily identifiable malicious purpose. Later versions featured better obfuscation and encryption.

Process summary

If a target application is launched, the malware is triggered and a fake login screen overlays the original mobile banking one, with no option to close it.

Figure 2 – Communication with server

After the user fills in their personal data, the fake screen closes and the legitimate mobile banking is shown.

As mentioned earlier, all the information exchanged between the device and server is encoded, except for the stolen credentials, which are sent in plain text.

Figure 3 – Credentials sent in plain text

The malware can even bypass 2FA (two-factor authentication) by sending all received text messages to the server, if requested. This allows the attacker to intercept all SMS text messages from the bank and immediately remove them from the client device, so as not to attract any suspicion.

How to remove the malware

When the user tries to uninstall the malware, two different scenarios can occur. First, the user has to disable administrator rights and then uninstall the fake “Flash Player” from the device. Deactivating administrator privileges can have two possible outcomes. The simpler one is where the user first deactivates administrator rights in Settings -> Security -> Device administrators -> Flash Player-> Deactivate and then ignores the bogus alert and chooses OK.

Figure 4 – Deactivating administrator rights

The user is then able to uninstall the malware via Settings -> Apps/Application manager -> Flash Player -> Uninstall.

Removal can become more complicated if the device receives a command from the server to disable deactivation of device administrator rights. If this happens, when the user tries to deactivate it, the malware creates an overlay activity in the foreground which prevents the user from clicking on the confirmation button. Deactivating administrator rights will therefore fail.

Figure 5 – Overlay screen displayed by the malware

Another method to safely deactivate administrator privileges is to enter Safe mode. When booting to Safe mode, third-party applications are not loaded or executed, and the user can safely deactivate administrator privileges, as in the first scenario, and thereby uninstall the application. ESET solutions detect this malware as Android/Spy.Agent.SI.